clojurescript

roklenarcic 2025-08-18T12:09:55.870309Z

Is is possible to use ClojureScript with CSP headers? It seems to demand “unsafe-eval” permission

p-himik 2025-08-18T12:17:51.571619Z

Are you deploying a development artifact, by any chance? Or maybe your code uses js/eval? What exactly in your compiled code requires that permission?

roklenarcic 2025-08-18T12:25:26.151209Z

SHADOW_ENV.evalLoad("goog.debug.error.js",true, "goog.loadMo...

roklenarcic 2025-08-18T12:25:58.872359Z

a bunch of stuff is calling goog.globalEval

roklenarcic 2025-08-18T12:26:12.060949Z

unfortunately the whole module is in one line

roklenarcic 2025-08-18T12:26:28.527189Z

SHADOW_ENV.evalLoad("goog.dom.nodetype.js", true, "goog.provide
also fails

roklenarcic 2025-08-18T12:26:33.212179Z

and so on

p-himik 2025-08-18T12:30:45.973299Z

That's a development build. Why are you deploying a development build?

roklenarcic 2025-08-18T12:34:46.604699Z

I am not, but I am testing all the same

roklenarcic 2025-08-18T12:34:56.953939Z

let me check release build

roklenarcic 2025-08-18T12:39:53.454079Z

hm same thing

p-himik 2025-08-18T12:40:28.904779Z

Can you share a screenshot with the error?

roklenarcic 2025-08-18T12:40:54.221459Z

I get about 10 of these:

roklenarcic 2025-08-18T12:41:33.888469Z

the lines at the base correspond to these load lines:

roklenarcic 2025-08-18T12:41:59.990989Z

:recipe-components-release {:target :browser
                                      :output-dir "target/js"
                                      :asset-path "/js"
                                      :modules {:recipe-widgets {:entries [roklenarcic.cookery.docs.recipe-widgets]}}
                                      :compiler-options {:optimizations :advanced
                                                         :infer-externs :auto}}

roklenarcic 2025-08-18T12:42:04.083999Z

this is the build

roklenarcic 2025-08-18T12:42:17.123509Z

in the shadow-cljs.edn

p-himik 2025-08-18T12:42:54.851529Z

I don't know what else to tell you, these are all from a dev build. There should be no SHADOW_ENV in the production build at all.

roklenarcic 2025-08-18T12:42:55.078349Z

Got my CSP in meta element:

<meta content="default-src 'none';style-src 'nonce-AAABmL0jbAr1aXc5H2iN5oR1G5YAY8EFe4jdA-BmjK8' ;font-src 'self'  ;script-src 'sha256-C9Pc74x5BP660fRg4HJ6AmFM9IpoprZO7TSDFKmjYzw=' 'nonce-AAABmL0jbAr1aXc5H2iN5oR1G5YAY8EFe4jdA-BmjK8';connect-src :*" http-equiv="Content-Security-Policy">

roklenarcic 2025-08-18T12:43:26.569009Z

I ran shadow-cljs compile recipe-components-release

roklenarcic 2025-08-18T12:44:08.438799Z

ok running shadow-cljs release recipe-components-release

roklenarcic 2025-08-18T12:45:10.098089Z

Ah I see, release is a different process, I thought that release build just means advanced optimizations

roklenarcic 2025-08-18T12:45:18.345059Z

yeah now that’s gone, thanks

👍 1
roklenarcic 2025-08-18T12:47:14.090149Z

I guess I need to make provisions to include unsafe-eval for dev

p-himik 2025-08-18T12:50:47.328329Z

But why would you deploy a dev build in the first place? It's giant, it's slow. If you need better debugging experience, just make sure you have source maps and enable pseudo names in the build options.

roklenarcic 2025-08-18T13:03:50.151659Z

I don’t deploy it, I just open the generated HTML page

p-himik 2025-08-18T13:07:58.256899Z

Opening a local HTML page as a file brings its own limitations, so you should probably use a local web server. And when using anything local that you control, there's no point in CSP at all.

👍 1
thheller 2025-08-18T13:25:17.744269Z

FWIW you do not usually need a dedicated release build. and those :compiler-options in the build config above are the default. so setting them does nothing, might as well remove them 😉